Results 1 - 10 of 10
Signature Schemes Based on the Strong RSA Assumption
ACM TRANSACTIONS ON INFORMATION AND SYSTEM SECURITY, 1998
Cited by 150 (8 self)
We describe and analyze a new digital signature scheme. The new scheme is quite efficient, does not require the signer to maintain any state, and can be proven secure against adaptive chosen message attack under a reasonable intractability assumption, the so-called Strong RSA Assumption. Moreover, a hash function can be incorporated into the scheme in such a way that it is also secure in the random oracle model under the standard RSA Assumption.
Efficient generation of shared RSA keys
Advances in Cryptology - CRYPTO 97, 1997
Cited by 124 (4 self)
We describe efficient techniques for a number of parties to jointly generate an RSA key. At the end of the protocol an RSA modulus N = pq is publicly known. None of the parties know the factorization of N. In addition a public encryption exponent is publicly known and each party holds a share of the private exponent that enables threshold decryption. Our protocols are efficient in computation and communication. All results are presented in the honest but curious settings (passive adversary).
A new forward-secure digital signature scheme
2000
Cited by 77 (6 self)
We improve the Bellare-Miner (Crypto ’99) construction of signature schemes with forward security in the random oracle model. Our scheme has significantly shorter keys and is, therefore, more practical. By using a direct proof technique not used for forward-secure schemes before, we are able to provide better security bounds for the original construction as well as for our scheme. Bellare and Miner also presented a method for constructing such schemes without the use of the random oracle. We conclude by proposing an improvement to their method and an
Proof Systems for General Statements about Discrete Logarithms
1997
Cited by 62 (5 self)
Proof systems for knowledge of discrete logarithms are an important primitive in cryptography. We identify the basic underlying techniques, generalize these techniques to prove linear relations among discrete logarithms, and propose a notation for describing complex and general statements about knowledge of discrete logarithms. This notation leads directly to a method for constructing efficient proof systems of knowledge. 1 Introduction Many complex cryptographic systems, such as payment systems (e.g. see [1, 2, 4]) and voting schemes [11], are based on the difficulty of the discrete logarithm problem. These systems make use of various minimum-disclosure proofs of statements about discrete logarithms [13, 7, 6, 10]. Typical examples are efficient proofs of knowledge of a discrete logarithm which are based on Schnorr's digital signature scheme [18] and systems for proving the equality of two discrete logarithms, as used in [8]. The goal of this paper is to identify the basic techniques...
Verifiable encryption, group encryption, and their applications to group signatures and signature sharing schemes
2000
Cited by 51 (8 self)
Abstract. We generalize and improve the security and efficiency of the verifiable encryption scheme of Asokan et al., such that it can rely on more general assumptions, and can be proven secure without assuming random oracles. We extend our basic protocol to a new primitive called verifiable group encryption. We show how our protocols can be applied to construct group signatures, identity escrow, and signature sharing schemes from a wide range of signature, identification, and encryption schemes already in use. In particular, we achieve perfect separability for all these applications, i.e., all participants can choose their signature and encryption schemes and the keys thereof independent of each other, even without having these applications in mind.
Indifferentiability, Impossibility Results on Reductions, and Applications to the Random Oracle Methodology
Theory of Cryptography - TCC 2004, Lecture Notes in Computer Science, 2003
Cited by 7 (1 self)
The goals of this paper are threefold. First we introduce and motivate a generalization of the fundamental concept of the indistinguishability of two systems, called indifferentiability. This immediately leads to a generalization of the related notion of reducibility of one system to another. Second, we prove that...
Cryptography Based on Number Fields with Large Regulator
2000
Cited by 4 (0 self)
We explain a variant of the Fiat-Shamir identification and signature protocol that is based on the intractability of computing generators of principal ideals in algebraic number fields. We also
Forking Lemmas in the Ring Signatures' Scenario
Proc. of Indocrypt’03, Springer LNCS, 2003
Cited by 3 (0 self)
Pointcheval and Stern introduced in 1996 some forking lemmas useful to prove the security of a family of digital signature schemes. This family includes, for example, Schnorr's scheme and a modification of ElGamal signature scheme. In this work we generalize...
Anonymous Authentication With Subset Queries (Extended Abstract)
in ‘ACM Conference on Computer and Communications Security’, ACM Press, 1999
Cited by 2 (0 self)
Dan Boneh, Matt Franklin (dabo@cs.stanford.edu, franklin@parc.xerox.com). Abstract: We develop new schemes for anonymous authentication that support identity escrow. Our protocols also allow a prover to demonstrate membership in an arbitrary subset of users; key revocation is an important special case of this feature. Using the Fiat-Shamir heuristic, our interactive authentication protocols yield new constructions for non-interactive group signature schemes. We use the higher-residuosity assumption, which leads to greater efficiency and more natural security proofs than previous constructions. It also leads to an increased vulnerability to collusion attacks, although countermeasures are available. Keywords: Anonymous authentication. Group signature. Identity escrow. 1 Introduction Consider an office building where each employee is given a smartcard for opening the front door to the building. Employees are often concerned that their movements in and out of the building are being recor...
Special Course on Cryptology/Zero Knowledge: Zero Knowledge Proofs of Identity and Proofs of Knowledge
2001
Introduction Authentication or proving one's identity can be done in many ways, but a typical way in applications related to computers has been the use of passwords. A big disadvantage in using passwords is, that the party who is verifying the authentication (called the verifier) or anyone eavesdropping the communication can later impersonate the original authenticator (called the prover). A more advanced way for authentication is challenge-response method, where a prover demonstrates the knowledge of a secret by responding to the verifier's challenge in a way that is not directly reusable by the verifier (e.g. encrypt a random challenge with a secret key). This method, however, might reveal something about the secret, especially so if the verifier can choose the challenges that he sends (chosen text attack) [9]. So, the idea of zero knowledge protocols seems to be quite useful and natural in this context. In this survey, we will briefly look at zero knowledge proofs of knowledge